This procedure explains how administrators configure the YubiOn Portal site and set up PCs.
The small-scale implementation is recommended for deployments of one to a few dozen PCs that administrators can easily access.
Please read the notes before proceeding with the implementation.
1. Notes
Be sure to check the system requirements before proceeding with the implementation.
Windows administrative privileges are required for setting up the PC.
Do not change the configuration of YubiKey Slot1.
YubiKey has two configurable Slots with features such as One Time Password (OTP) and Challenge Response (used in offline authentication).
Slot1: The initial state is configured to Yubico OTP. If you change your Slot1 information, you will not be able to use it on YubiOn Portal.
Slot2: The initial state is unconfigured.
If offline authentication is used, a challenge-response setting is required in Slot2.
Prior preparation is required to enable offline authentication of the PC.
Before distributing YubiKey to users, please refer to YubiKey offline settings to configure YubiKey.
About the PC identification ID
YubiOn Portal uses SID or UUID as a terminal identification ID.
The default identification ID in each OS is as follows:
Windows: SID
macOS: UUID
*If you have a duplicate Windows SID due to PC kitting or other reasons, you will not be able to use YubiOn Portal.
If your SID is duplicated and unavailable, please contact us.
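A pre-deployment check for the duplicate-SID condition described above, as an added PowerShell example that is not part of the vendor's procedure. It assumes the identification ID is the Windows machine SID (the page does not say which SID is used); the function names and the inventory rows are constructed for illustration.

```powershell
# Added example, not vendor code.
# Assumption: the terminal identification ID is the Windows machine SID, which is
# the domain part shared by the SIDs of all local accounts on that PC.

function Get-LocalMachineSid {
    # Local account SIDs have the form <machine SID>-<RID>;
    # AccountDomainSid returns the SID with the trailing RID removed.
    $account = Get-LocalUser | Select-Object -First 1
    return $account.SID.AccountDomainSid.Value
}

function Find-DuplicateSid {
    # Takes objects with ComputerName and Sid properties and returns one row
    # per SID that is reported by more than one PC.
    param([Parameter(Mandatory)] [object[]] $Inventory)

    $Inventory |
        Group-Object -Property Sid |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                Sid       = $_.Name
                Computers = ($_.Group.ComputerName | Sort-Object) -join ', '
            }
        }
}

# Constructed sample inventory: PC-002 and PC-003 were cloned from one image
# and therefore report the same machine SID.
$inventory = @(
    [pscustomobject]@{ ComputerName = 'PC-001'; Sid = 'S-1-5-21-1111111111-2222222222-3333333333' }
    [pscustomobject]@{ ComputerName = 'PC-002'; Sid = 'S-1-5-21-4444444444-5555555555-6666666666' }
    [pscustomobject]@{ ComputerName = 'PC-003'; Sid = 'S-1-5-21-4444444444-5555555555-6666666666' }
)

# Add the PC this script runs on, then report any collisions.
$inventory += [pscustomobject]@{ ComputerName = $env:COMPUTERNAME; Sid = Get-LocalMachineSid }
Find-DuplicateSid -Inventory $inventory | Format-Table -AutoSize
```

Run it from an elevated PowerShell session on Windows; with the sample rows it lists PC-002 and PC-003 under the shared SID.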
2. Implementation flow
Portal registration
[Administrator Action] Register for the YubiOn Portal. After registration, purchase a paid plan (Standard or higher).
Member registration / settings
[Administrator Action] Register users (members) and set your YubiKey up through the YubiOn Portal.
Installation
[Administrator Action] Install the software on each PC.
Service settings
[Administrator Action] Configure the service settings for two-factor authentication.
The first person to register for the YubiOn Portal will be the representative of your organization.
You will receive a confirmation email upon newly registering.
Click on this link to confirm your registration.
3-2. First login
From the login screen, log in with your registered email address and password.
Enter the correct email address and password to log in to YubiOn Portal.
About customer login
For the representatives of the organization (those who first registered for the YubiOn Portal), only the password will be required to log in if a YubiKey has not been assigned.
Once the YubiKey is set up, the user will be presented with a two-factor authentication login.
Notes: If all YubiKeys assigned to a user are removed, the customer login screen will appear.
The first time you log in, the simple settings screen appears.
4. Simple settings
Skip this step if you've already done the simple settings.
4-1. YubiKey registration
Set your YubiKey up for login. Next time you log into the YubiOn Portal, you will require the YubiKey which you set up here.
4-2. Selection of settings
Click on "You do not configure your PC..." as this procedure does not configure the operator's own PC.
Info
Once you skip this step, the simple settings screen will no longer appear when you log in.
5. Switching to a paid plan
If you are already a paid plan customer, please skip this step.
Purchase of paid plans
This function is for paid plans (Standard / Premium).
Please purchase a plan when using this service.
The following explanation assumes the use of a paid plan.
6. Member registration
Register members (users) for the YubiOn Portal.
Click on “Member management” from the menu on the left side of the screen.
Click on the “Member Registration” icon.
In the member registration window, input the “ID/Member name/Email address/Password” to add a new member and click the “Register” button.
The “ID” is an item to facilitate sorting and filtering. Use this field for an employee number, etc.
* You can register even if you have not entered any information.
Click “OK” when a confirmation message is displayed.
Once the registration is complete, the added members will be displayed in the member list.
7. YubiKey assignment
YubiOn Portal provides two-factor authentication using YubiKey in addition to the ID and Password.
In order for members of your organization to take advantage of the two-factor authentication, they must first be assigned a YubiKey.
From the member list, click on the member to whom a YubiKey will be assigned.
Click the “YubiKey Assignment” button.
Select the input field and plug the YubiKey you want to assign to the member into the USB port.
Tap the YubiKey to input the one-time password.
Click “OK” when a confirmation message is displayed.
When the assignment has been completed, the assigned YubiKeys will be displayed in the YubiKey list.
8. Setup
The following details the steps the administrator can follow to set up the PCs.
To set up two-factor authentication on a PC, one will need to install a Windows Logon Service application, henceforth referred to as Client Tools.
Before Use
Please be sure to check the system requirements before installing the software.
The installation requires Windows administrative privileges.
Also, after the installation of the client tool, the PC may reboot.
Save important files and close all applications before installation.
8-1. Software download
From the menu on the left side of the screen, click the "PC" icon, then click "Download".
Click the "Download" button.
The "WlsInstaller_x64.msi" or "WlsInstaller_x86.msi" will be downloaded.
Save it to any location.
Info
About downloading
The 32-bit or 64-bit download button will appear according to your device.
When installing software for a different architecture
Click on "Download tools for different architecture".
Download the software.
8-2. Software installations
Run "WlsInstaller_x86.msi" or "WlsInstaller_x64.msi".
The installation of the client application, which requires Windows administrator privileges or an administrator password, will start.
Caution
In environments where the Microsoft "SmartScreen" feature is enabled, a warning may be displayed when downloading files or starting the installation.
If a warning is displayed, continue the installation with the following steps.
* Do not run the file unless you are sure it was downloaded from this portal's website, as it may be an illegitimate file.
Click on "More info".
Click the displayed "Run anyway" button.
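One way to confirm where the installer came from before clicking "Run anyway", as an added PowerShell example that is not part of the vendor's procedure. It assumes the MSI carries an Authenticode signature and was saved by a browser that records the download URL; `Test-InstallerTrust`, the expected signer and the expected host are placeholders to be filled in with values confirmed with the vendor.

```powershell
# Added example, not vendor code. Assumes the MSI is Authenticode-signed and was
# downloaded with a browser that writes the Zone.Identifier stream.
function Test-InstallerTrust {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSigner,  # placeholder: publisher name confirmed with the vendor
        [Parameter(Mandatory)] [string] $ExpectedHost     # placeholder: host name of the portal download site
    )

    $r = [ordered]@{
        Path = $Path; Sha256 = $null; Signer = $null; HostUrl = $null
        SignatureValid = $false; SignerMatches = $false; HostMatches = $false; Trusted = $false
    }

    # 1. Authenticode: 'Valid' means the file is unmodified since signing and the
    #    certificate chains to a trusted root. An unsigned file reports 'NotSigned'.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    $r.SignatureValid = ($sig.Status -eq 'Valid')
    if ($sig.SignerCertificate) {
        $r.Signer = $sig.SignerCertificate.Subject
        $r.SignerMatches = $r.Signer -like "*$ExpectedSigner*"
    }

    # 2. Mark of the Web: the HostUrl entry, when present, is the URL the file was
    #    downloaded from. It is missing if the file was copied in another way.
    $motw = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $hostLine = $motw | Where-Object { $_ -like 'HostUrl=*' } | Select-Object -First 1
    if ($hostLine) {
        $r.HostUrl = $hostLine.Substring('HostUrl='.Length)
        $uri = $r.HostUrl -as [uri]
        if ($uri) { $r.HostMatches = ($uri.Host -eq $ExpectedHost) }
    }

    # 3. SHA-256 of the file, for the deployment record or comparison with a
    #    value obtained from the vendor.
    $r.Sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    $r.Trusted = $r.SignatureValid -and $r.SignerMatches -and $r.HostMatches
    [pscustomobject]$r
}

# Usage (replace the placeholders before running):
# Test-InstallerTrust -Path .\WlsInstaller_x64.msi `
#     -ExpectedSigner '<publisher name>' -ExpectedHost '<portal download host>'
```

Proceed past the SmartScreen warning only when `Trusted` is `True`; if any check is `False`, download the file again from the portal and re-run the check.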
Install
Read the software license agreement and check the "Agree" checkbox.
Then, click on "Install".
When the installation is complete, the completion screen will be displayed.
If you exit with "Launch configuration tool after the runtime installation is complete" checked, the configuration tool will start automatically.
Continue to install the required runtime.
At the User Account Control confirmation pop-up, click "Yes".
The installation of the required runtime will be started. After the runtime is installed, a pop-up will appear prompting you to reboot.
Note
If you don't need to reboot, no pop-up will appear.
If you don't see a pop-up, the installation is complete at this point.
Click "Yes" on the confirmation message. The PC will be rebooted and the client tool installation will be completed.
If you don’t want the user to uninstall it
The optional function “Uninstall Control” can be used to hide the software from the list of installed applications and prevent uninstallation.
Please contact us for more information on using the “Uninstall Control” option.
8-3. PC setup
Note
Administrator privileges for YubiOn Portal are required to make the following settings.
Set up the PC while it is connected to the network.
Start the client tool from the Start menu.
Skip this step if you already have the client tool running.
In the "Email Address" and "Password" fields, enter the email address and password that you used to register for the YubiOn Portal.
Plug the registered YubiKey into the USB port.
Select the "OTP" field and tap on the YubiKey to enter your one-time password.
After entering the information, the setting screen will appear.
Click "Assign accounts and authenticators" in the configuration tool you just launched.
Click the "Register" button.
Select "Account", "Member" and "Authenticator" and click the "OK" button.
About the display name of YubiKey
The default name of the YubiKey displayed in the "Authenticator to Use" is the public ID of the YubiKey (first 12 characters of the one-time password).
Click the "OK" button on the Setup Complete pop-up.
Click "Exit" to close the configuration tool.
When set up by a general account
YubiKey assignments can also be made by non-administrators.
In this case, the connection between the Windows account you are currently logged into and the YubiKey you used to log in to the client tool is completed immediately.
Non-administrative members cannot be assigned a specific account and YubiKey.
8-4. Distribute YubiKey to users
After completing PC setup, distribute YubiKeys to your users.
Check before YubiKey distribution
Prior preparation is required to enable offline authentication of the PC.
Before distributing the YubiKeys to users, please refer to the YubiKey offline settings to configure the YubiKeys.
If you are setting up multiple people’s PCs, repeat steps 6 - 8 for all required users.
This concludes the setup.
9. Service settings
In the service configuration screen, configure the settings for the two-factor authentication service.
9-1. General service settings
Click the "PC" icon from the menu on the left side of the screen.
Click on "Service setting".
Configure the following settings to match your security policy:

| Configuration item | Configuration contents | Default |
| --- | --- | --- |
| 1. Cache logon expiration date | The number of days available for offline authentication. | Disabled |
| 2. Screen lock | Lock the screen when the YubiKey is unplugged. | Disabled |
| 3. Forced YubiKey logon | Make logging onto the PC with YubiKey mandatory. | Disabled |
| 4. Authentication failure lock | Locks the PC after a certain number of failed logon attempts. It can also be used to unlock the PC only after a certain amount of time has elapsed. | Disabled |
| 5. Automatic email notification | Email notifications when there is a change in PC status or service settings. | Enabled (Representative) |
In the initial view of the service settings, "Default Policy" is selected.
This step is based on the "Default Policy".
Info
About the Group policy
Group policy allows dividing of service settings for various groups.
For more information, see Group Policy Settings.
About the Master Key
Master Key enables users to set up a master YubiKey that can log on to all PCs and accounts.
For more information, see Master Key Settings.
9-2. Cache logon settings
Setting an expiration date for offline authentication allows you to log on offline for a specified number of days from the date of the last successful PC logon.
If disabled, you will not be able to log on in environments without a network connection.
Click the "Enable" radio button.
Enter the expiration date.
For free use, only one day can be set up.
To enable offline authentication, the PC must be successfully authenticated online once.
Each time the PC is successfully logged in, the offline authentication period is updated.
Example: Consider an offline expiration of 3 days. If a logon to the PC succeeds on April 1st, offline authentication is enabled from April 1st to April 3rd. If a logon succeeds during that period, offline authentication is valid for an additional 3 days from the date of that successful authentication.
Reflection of settings on the terminal
The settings are reflected when the user starts the terminal while it is connected to the network.
How it works on the Mac version
The cache logon feature is always enabled in the Mac version.
If you want the cache logon period to be indefinite
With the paid option "Cache logon indefinite setting", the number of days cache information is valid can be set indefinitely.
Please contact us to inquire about purchasing the "Cache logon indefinite setting" option.
9-3. Screen lock settings
With screen lock enabled, you can lock the screen automatically when you unplug the YubiKey from the PC's USB port.
Check the "Lock screen when unplugging YubiKey" checkbox.
Click the "Update" button.
Info
Reflection of settings on PC
The settings are reflected when the user starts the PC while it is connected to the network.
9-4. Forced YubiKey logon settings
Set the PC to enforce logon using YubiKey when logging on.
Check the "Force a logon using YubiKey" checkbox.
Click the "Update" button.
Info
Reflection of settings on the PC
The settings are reflected when the user starts the PC while it is connected to the network.
Forcing YubiKey on the Mac version
When changing system preferences, the YubiKey is required as well as the password.
9-5. Authentication failure lock settings
Set up your PC to enforce logon using YubiKey when logging on.
If the Authentication failure lock setting is enabled, it is possible to prohibit a terminal from logging on after a certain number of failed logon attempts.
Click the "Update" button.
Info
Reflection of settings on PC
The settings are reflected when the user starts the PC while it is connected to the network.
About PC lock
The inability to log on to a terminal is called "PC lock".
Click here to find out how to unlock the PC lock status.
For Mac version
To enable this feature, "Forced YubiKey Logon" must be enabled.
9-6. Unlock settings after an authentication failure lock
Check the "After authentication failure lock, unlock at a certain time" checkbox.
Enter the time (in minutes) after which the PC can be unlocked.
Click the "Update" button.
Info
Reflection of settings on PC
The settings are reflected when the user starts the PC while it is connected to the network.
Conditions for PC unlocking
PC lock status is released when a certain period of time elapses and when the user starts up the PC while it is connected to the network.
If the setting to unlock after a certain period of time is disabled, the PC lock status will not be released after a certain period of time has elapsed.
9-7. Automatic email notification settings
When there is a change in the status of the PC or in the service settings, the members registered in the notification settings are notified automatically.
By default, the representative is set as the recipient of the notification.
Click the settings icon in the top right corner of the service settings screen, and then click "Email notification settings".
Toggle the notification settings to enable/disable.
Check the items to receive notifications for.
Click the "Update" button.
About notification
When "When the PC locked or unlocked" is checked
Notify which terminals have been changed to which state.
When "When changing service settings" is checked
Notification of changes made in service settings, such as cache logon settings.
If you want to change the email recipient
Click here for instructions on how to change email recipients.
10. Operational confirmation
Check whether the user's PC successfully reflects the settings of the group policy.
About Group policy
Group policy allows dividing of service settings for various groups.
For more information, see Group policy settings.
From the menu on the left side of the screen, click the "PC" icon and then click "Service setting".
10-1. Group policy reflection confirmation
There are three group policy statuses: "Reflected", "Unreflected", and "Old policy is reflected".
Group policy reflection status
Reflected: The latest group policy is reflected on the PC.
Unreflected: The group policy has not been reflected on the PC.
Old policy is reflected: The old group policy is reflected on the PC.
The following is the procedure to confirm the group policy.
Click on the group policy you wish to review.
Click on the "PC list" tab.
Click on the pull-down under "Status."
Next, click on "Unreflected".
A list of PCs to which the group policy has not yet been applied is displayed.
The "Unreflected" status is indicated by an "X" mark.
Info
To check "Old policy is reflected" status
Clicking "Old policy is reflected" in the "Status" pull-down displays a list of PCs that reflect the old group policy.
If an old policy is reflected, it is indicated by a "warning mark".
When a group policy is changed or another group policy is applied, the "old policy is reflected" status is set.
To check the "Reflected" status
Clicking "Reflected" in the "Status" pull-down displays a list of PCs with the latest group policy reflected.
If the latest group policy is reflected, it is indicated by a "check" mark.
How to reflect the settings on your PC
The Group Policy setting is reflected when the target PC is connected to the network and logs on.
The installation procedure is described above.
11. Additional Information
11-1. Two-factor authentication method for YubiOn Portal site
During login to the YubiOn Portal using two-factor authentication, the member's email address, password, and YubiKey are required.
Info
Only the representative (the first user to register for the YubiOn Portal) can log in with only a password if a YubiKey has not been assigned.
Access the login page.
Enter your email address in the email address field and click the Confirm button.
Enter the password in the password field.
Plug the YubiKey into the USB port.
Click the YubiKey input field and tap the YubiKey.
*The YubiKey's one-time password will be entered automatically and the user will be logged in.
After logging in, the "Dashboard" will be displayed.